The EWI Encryption Report: Stop Trying to Sell Me a Shoebox

Publication Type: Other Writing
Publication Date: March 7, 2018

Which would you prefer: keeping your valuables in a locked safe, or keeping them in a shoebox and trusting that everyone will adhere to laws against theft and their concomitant penalties? Most, if not all, of us will choose the former. That’s so even if we realize that safe-crackers may someday find a way to bust open even the most top-of-the-line safe currently on offer.

Yet in its new policy report on encryption, the East-West Institute has announced a policy preference for a regime that requires us all to use digital shoeboxes instead of safes, and to simply trust that the police — and all the burglars out there — will behave themselves, because there will be rules about whether, when, how, and by whom it’s OK to raid the shoebox.

The report’s over-reliance on trust in the government is one of many insights in a great review of EWI’s report, published on Lawfare, by my Stanford colleague Herb Lin. As the report’s acknowledgments note, Herb and I both provided comments and feedback to EWI during the report’s development. But (as Herb predicted) I disagree strongly with its conclusions as well as its underlying assumptions. I don’t think the report is focusing on the right question, and although its aim is to help move the discussion around encryption forward, I believe it keeps that discussion stuck in the past.

As Herb points out, EWI’s report “assumes away some of the most important concerns of those in privacy and technology communities” when it comes to proposals to regulate strong encryption. (I’m using the term “strong encryption” in the sense the privacy community uses it, as elucidated by Herb: “encryption with zero likelihood that the ciphertext it produces can be decrypted by anyone other than the intended recipient.”) He notes that the report largely holds back from recommending the imposition on law enforcement of “hard measures”: “actions that impose legally enforceable requirements for certain visible and operational behaviors.”

Read the full post at Just Security